We crash in nsTextInputListener::Blur in the following situation:
1. Page has a form with an onchange handler that:
   a) does a document.writeln
   b) tries to set the value of another text input
See attached test case.

Cool comment by frazer, explaining why Kin's suggestion wouldn't cut it. This
had me fooled too... Clearly a comment is called for (before someone else is
tricked, and "fixes" the code!).
The patch is also really hard to read in this form (I had a terrible time with
the rest of it). Please use a diff -u patch, and add the comment that there is
a possible side-effect that mframe can be modified to null during the call.
(...yes... pdt folks often review this stuff too at this late point! ;-) ).
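
The side effect discussed in the comment above, shown as an added example that is not the patch under review or any Mozilla code: a listener caches a frame pointer, calls out to a change handler, and must re-check the pointer afterwards because the handler can tear the frame down. `Frame`, `TextInputListener`, `FrameDestroyed` and the two driver functions are hypothetical names for illustration.

```cpp
#include <functional>
#include <string>

// Hypothetical stand-in for the frame that backs a text input.
struct Frame {
    std::string value;
};

// Hypothetical listener holding a raw, non-owning pointer to its frame.
class TextInputListener {
public:
    explicit TextInputListener(Frame* frame) : mFrame(frame) {}

    // Called when the frame goes away (e.g. the document is rewritten).
    void FrameDestroyed() { mFrame = nullptr; }

    // fireOnChange models arbitrary page script run from the blur path.
    bool Blur(const std::function<void()>& fireOnChange) {
        if (!mFrame) return false;
        fireOnChange();
        // mFrame can have been set to null as a side effect of the call
        // above, so this second check is not redundant. Removing it, or
        // relying only on the check before the call, brings the crash back.
        if (!mFrame) return false;
        mFrame->value += " [blurred]";
        return true;
    }

private:
    Frame* mFrame;
};

// Handler leaves the frame alone: Blur completes and updates the frame.
bool BlurWithQuietHandler() {
    Frame frame{"a"};
    TextInputListener listener(&frame);
    return listener.Blur([] {}) && frame.value == "a [blurred]";
}

// Handler destroys the frame mid-call: Blur must bail out, not dereference.
bool BlurWithDestructiveHandler() {
    Frame frame{"a"};
    TextInputListener listener(&frame);
    return listener.Blur([&] { listener.FrameDestroyed(); });
}

int main() {
    return (BlurWithQuietHandler() && !BlurWithDestructiveHandler()) ? 0 : 1;
}
```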